Inherited Client moving from MPLS to VPN

  • Hopefully this is the right forum. I've used PFSense for some time with other clients, but not quite at this level. I inherited a client literally from a guy that died.  :'(

    The current configuration is two offices with 20-25 workstations each, ESXi at both locations, Exchange at Location 1. Most workstations are using static IPs although as I am joining them to the Win2k8 domain I am converting them to DHCP. There is an MPLS link between the two locations as shown below. Location 2 routes all traffic through Location 1 then onto the Internet. There are lots of reasons to get away from this and give Internet connectivity to both offices directly. So, they have added BrightHouse 70/5 to both locations and want me to link them together with a VPN/firewall. The new connections are just terminated at the modems at each location so the cart isn't completely in front of the horse.

    I don't really want to change the IP ranges (Location 1 is and Location 2 is Both locations need to use server resources at the other location. I can summarize them as so I do plan to stay with these ranges unless someone has a better solution.

    I can use anything for the site-to-site link but need to also have mobile VPN capability for about 5 users with access to both locations without having to VPN into each Location depending on where they need resources. I think that will be no problem if the mobile user VPNs to Location 1 and needs resources at Location 2 but I need to look into that a little more.

    Anyway, if anyone has any suggestions I'm open. I have an ESXi 5 server at each location with two open NICs that I plan to use for PFSense.


  • This should be no problem to implement. I use OpenVPN and a site-to-site link between those 2 subnets is easy. I have 2 main offices like that (plus branches) and put a road warrior OpenVPN server listening at each main office. Users can have the OpenVPN client installed with 2 configs, for connection to either office, so if one is down they can try the other. Give each Road Warrior server a subnet and include that wherever you mention a remote office LAN in the "Remote Networks" box when you setup the OpenVPN link/s. That way Location 2 can have a route to Location 1 LAN and Location 1 Road Warrior subnets, and vice versa.